EAP-TLS works but is reset by Hostap
Mon Sep 11 19:47:55 PDT 2006
On Mon, Sep 11, 2006 at 12:58:18PM -0700, Atif Ikram wrote:
> Here is the log. I couldn't get the entire log in this email, hopefully
> you can find out the issue. Basically, the xsupplicant is running on a
> machine with MAC=00:40:4d:d0:9f:71. Hostap and freeRADIUS are running
> on machine with MAC=00:14:22:43:42:2F
> You can check hostap is receiving DHCP broadcast packet from some other
> machine with MAC=00:08:e5:11:32:33 which doesn't have any supplicant
> running but this causes xsupplicant at MAC=00:40:4d:d0:9f:71 to restart.
> Also, you can notice hostap not processing xsupplicant's messages
> because of a mismatch of Response-Identity with xsupplicant.
Do you use use_pae_group_addr=1 in hostapd.conf? If yes, that would be
enough to explain this issue. The group PAE address can only be used if
there is only going to be one device behind the ethernet port (e.g., a
switch using IEEE 802.1X to authenticate each port separately). If not,
it would sound like xsupplicant would be ignoring the target address of
the EAPOL frame. Taken into account that IEEE 802.1X could be
interpreted to require group PAE address to be used for wired ethernet,
this kind of case where multiple wired clients are using the same port
is not really very well supported..
Could you please capture the frames exchanged during such an
authentication (e.g., with tcpdump or wireshark) and verify that hostapd
is indeed sending out the frames into two different MAC addresses?
Jouni Malinen PGP id EFC895FA
More information about the Hostap